Comprehensive suite of tools; scans SSL traffic; integrates with Entercept.
Only one power supply; management requires dedicated server.
Solid range of protection and SSL traffic decoding make it ideal for web server protection. However, it's fairly complex to set up and configure.
McAfee's IntruShield 2700 fits into the middle of its range, offering 600Mbps of throughput. It has six Fast Ethernet and two GBIC ports for detection, and three Fast Ethernet ports for responses. You can install it in either tap mode or inline mode, where the box sits between the router and main network. In inline mode, it's recommended that you use the appliance's high-availability mode.
It also has a dedicated management port to wire into a dedicated management network, and supports optional dual hot-swappable power supplies, although it is only provided with one.
While initial IP address deployment is done via the console port, you then have to turn to the IntruShield Manager application, which has to be installed on a Windows 2000 server. At first, this isn't as simple as web-based management, but it provides greater scalability, a single point of management and a better overall network view. Also, replacing a damaged sensor should be as easy as switching the hardware over. The default installation uses a MySQL database, but you could use an existing Oracle database.
The centralized management is also good for updates. The IntruShield Manager downloads the latest attack signature updates and distributes them to connected sensors, ensuring that the whole network stays up to date. The console can also be integrated with Entercept host-based IDS sensors, so you've got one place to look for all of your security alerts.
Management is through a Java-based application, so you can access the console from anywhere. It's friendly to look at, with a tree view providing quick access to all elements of the network.
Network protection comes via security policies. The management system has predefined policies, but it's easy enough to create your own as IntruShield offers three levels of protection: signature, for known attacks; anomaly, to detect zero-day attacks; and DoS analysis. Crucially, for web servers, the device can decrypt and inspect SSL traffic, providing protection against encrypted attacks.